Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: undici
- Introduced through: @actions/tool-cache@2.0.2
Detailed paths
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/core@1.11.1 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
Overview
undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the PerMessageDeflate.decompress() method of the permessage-deflate extension. An attacker can cause excessive memory usage by sending specially crafted compressed WebSocket frames that decompress to a very large size, potentially leading to process crashes or unresponsiveness.
Remediation
Upgrade undici to version 6.24.0, 7.24.0 or higher.
References
high severity
new
- Vulnerable module: undici
- Introduced through: @actions/tool-cache@2.0.2
Detailed paths
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/core@1.11.1 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
Overview
undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this package are vulnerable to Uncaught Exception through improper validation of the server_max_window_bits parameter in the permessage-deflate extension. An attacker can cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw instance.
Remediation
Upgrade undici to version 6.24.0, 7.24.0 or higher.
References
medium severity
new
- Vulnerable module: undici
- Introduced through: @actions/tool-cache@2.0.2
Detailed paths
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/core@1.11.1 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
Overview
undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this package are vulnerable to HTTP Request Smuggling in the processHeader() while handling HTTP/1.1 requests containing duplicate Content-Length headers with differing casing. An attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend servers.
Remediation
Upgrade undici to version 6.24.0, 7.24.0 or higher.
References
medium severity
- Vulnerable module: undici
- Introduced through: @actions/tool-cache@2.0.2
Detailed paths
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/core@1.11.1 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
Overview
undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP responses with a large number of chained compression steps in the Content-Encoding header.
Remediation
Upgrade undici to version 6.23.0, 7.18.2 or higher.
References
medium severity
new
- Vulnerable module: undici
- Introduced through: @actions/tool-cache@2.0.2
Detailed paths
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
-
Introduced through: rust-toolchain@crusty-pie/toolchain#bb25006f87c889ae1e40a50676d71ec6935584e4 › @actions/tool-cache@2.0.2 › @actions/core@1.11.1 › @actions/http-client@2.2.3 › undici@5.29.0Remediation: Upgrade to @actions/tool-cache@3.0.0.
Overview
undici is an An HTTP/1.1 client, written from scratch for Node.js
Affected versions of this package are vulnerable to CRLF Injection via the upgrade option of the client.request() function. An attacker can inject malicious data into HTTP headers or prematurely terminate HTTP requests by sending specially crafted input, potentially leading to unauthorized information disclosure or bypassing of security controls.
Remediation
Upgrade undici to version 6.24.0, 7.24.0 or higher.